Splunk® Security Content

Release Notes


What's new

Enterprise Security Content Updates v3.49.0 was released on September 20, 2022. It includes the following enhancements.

New analytic stories

  • Azure Active Directory Persistence
  • Brute Ratel C4
  • CISA AA22-257A

New analytics

  • Azure AD External Guest User Invited
  • Azure AD Global Administrator Role Assigned
  • Azure AD Multiple Failed MFA Requests For User
  • Azure AD New Custom Domain Added
  • Azure AD New Federated Domain Added
  • Azure AD Privileged Role Assigned
  • Azure AD Service Principal Created
  • Azure AD Service Principal Credentials Added
  • Azure AD Service Principal Owner Added
  • Azure AD User Enabled And Password Reset
  • Azure AD User ImmutableId Attribute Updated
  • Azure Automation Account Created
  • Azure Automation Runbook Created
  • Azure Runbook Webhook Created
  • Windows Access Token Manipulation SeDebugPrivilege
  • Windows Access Token Manipulation Winlogon Duplicate Token Handle
  • Windows Access Token Winlogon Duplicate Handle In Uncommon Path
  • Windows Defacement Modify Transcodedwallpaper File
  • Windows Event Triggered Image File Execution Options Injection
  • Windows Gather Victim Identity SAM Info
  • Windows Hijack Execution Flow Version Dll Side Load
  • Windows Input Capture Using Credential UI Dll
  • Windows Phishing Recent ISO Exec Registry
  • Windows Process Injection With Public Source Path
  • Windows Protocol Tunneling with Plink
  • Windows Remote Access Software BRC4 Loaded Dll
  • Windows Service Deletion In Registry
  • Windows System Binary Proxy Execution Compiled HTML File Decompile

Updated analytics

  • AdsiSearcher Account Discovery
  • Get ADUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • Get DomainUser with PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • High Process Termination Frequency
  • Linux Persistence and Privilege Escalation Risk Behavior
  • Living Off The Land
  • Log4Shell CVE-2021-44228 Exploitation
  • Recursive Delete of Directory in Batch CMD (Thanks to @TheLawsOfChaos)
  • Remote Process Instantiation via WMI and PowerShell Script Block (Thanks to @TheLawsOfChaos)
  • Svchost LOLBAS Execution Process Spawn (Thanks to @swe)

Other updates

  • Correlation searches based on the Risk data model now carry the prefix RBA: in the rule title (e.g., RBA: Living Off The Land) and RIR in the correlation search label (e.g., ESCU - RIR - Living Off The Land - Rule).
Last modified on 16 September, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.49.0
